#Unifi log parsing


red siren
#

I have set up my UBNT EdgeRouter to send logs to crowdsec via syslog. I have added crowdsecurity/unifi. I have the acquisition configured with type unifi, according to the instructions here: https://app.crowdsec.net/hub/author/crowdsecurity/collections/unifi. I can see the stats, and although I am only sending relevant log entries over, the stats say all lines are unparsed.

I tried to run explain on a raw log entry with the type specified as unifi. It shows the entry was parsed by the non-syslog parser instead of the unifi-logs. If I specify the type as syslog, it fails to be parsed by anything, and I see that the unifi-logs is just below non-syslog.

I don't know if this is a red herring and there is some other reason for not parsing logs.


mint elkBOT
#
Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve

mint elkBOT
#

This has now been resolved. If you think this is a mistake please run /unresolve

red siren
#

I switched the acquisition type to syslog and it seems to be parsing now.

narrow marsh